From 30b4faa65c68e30b0a1006b1ca3c826eb90fbf01 Mon Sep 17 00:00:00 2001
From: Daniel <845765@qq.com>
Date: Sat, 27 Dec 2025 15:10:06 +0800
Subject: [PATCH] :bug: Attribute values are not escaped https://github.com/siyuan-note/siyuan/issues/16686
Signed-off-by: Daniel <845765@qq.com>
---
 kernel/model/blockial.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/kernel/model/blockial.go b/kernel/model/blockial.go
index 2efd41bb1..b333c81c1 100644
--- a/kernel/model/blockial.go
+++ b/kernel/model/blockial.go
@@ -26,6 +26,7 @@ import (
 "github.com/88250/gulu"
 "github.com/88250/lute/ast"
 "github.com/88250/lute/editor"
+ "github.com/88250/lute/html"
 "github.com/88250/lute/parse"
 "github.com/araddon/dateparse"
 "github.com/siyuan-note/siyuan/kernel/cache"
@@ -277,7 +278,7 @@ func setNodeAttrs0(node *ast.Node, nameValues map[string]string) (oldAttrs map[s
 // 删除大小写完全匹配的属性
 delete(newAttrs, name)
 // 保存小写的属性 https://github.com/siyuan-note/siyuan/issues/16447
- newAttrs[lowerName] = value
+ newAttrs[lowerName] = html.EscapeAttrVal(value)
 }
 }
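Review bot: The escape in the second hunk is applied only on the assignment `newAttrs[lowerName] = html.EscapeAttrVal(value)`, which appears to sit inside the branch that rewrites a mixed-case name to lowercase. The rest of setNodeAttrs0 is outside the hunk, so it is not visible whether a value whose name is already lowercase is escaped anywhere. If it is not, that path still stores raw quotes, `<` and `&` in the block's attribute list. Escaping once where `value` is first normalized, e.g. `value = html.EscapeAttrVal(value)` ahead of both assignments, would cover both paths, provided no later step escapes again and turns `&amp;` into `&amp;amp;`. A short comment stating that stored values are HTML-attribute-escaped would help, as would a regression test covering a lowercase and a mixed-case name with a value containing `"`, `<` and `&`.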